The infection chain begins with a compromised site being injected with the pseudoDarkleech script. The script is basically a malicious iframe that points to the Rig Exploit Kit landing page. Below is an image of the script on the compromised site:

The next phase of the infection chain begins when the host is redirected to the Exploit Kit landing page. Once the host retrieves the landing page from the server, scripts are run to determine whether the host is vulnerable to particular exploits. Below is the TCP stream showing the request for the landing page, the Flash exploit, and the payload (in that order):

This time the Rig Exploit Kit server sent an executable instead of a .DLL. Below are the files dropped in %TEMP%. The executable followed the naming convention we are used to seeing these days, which is “rad[5 alphanumeric characters].tmp.exe” or “.dll”.
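The naming convention above is something a responder can check for quickly. The following is an added example, not code from the original post: it turns the “rad[5 alphanumeric characters].tmp.exe/.dll” pattern into a regular expression, runs it over a constructed %TEMP% listing (the sample file names are made up for illustration), and can also walk a real temp directory. Matching is done case-insensitively on the assumption that Windows file names are case-insensitive; the post itself shows only lowercase names.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed sample %TEMP% listing (not from the original post) used to exercise the check.
SAMPLE_TEMP_LISTING = [
    "radA1B2C.tmp.exe",      # matches: rad + 5 alphanumerics + .tmp.exe
    "rad3F9K2.tmp.dll",      # matches: .dll variant
    "radAB12.tmp.exe",       # only 4 characters after "rad": no match
    "radAB12CD.tmp.exe",     # 6 characters after "rad": no match
    "rad5Y7Q1.tmp",          # no .exe/.dll suffix: no match
    "~DF1234.tmp",           # ordinary Windows temp file: no match
    "setup.exe",             # ordinary executable: no match
    "RADQW3RT.TMP.EXE",      # case variant; matches because of the case-insensitive assumption
]

# "rad" + exactly five alphanumeric characters + ".tmp" + ".exe" or ".dll"
RAD_TMP_PATTERN = re.compile(r"^rad[0-9a-z]{5}\.tmp\.(exe|dll)$", re.IGNORECASE)


def matches_rad_tmp(name: str) -> bool:
    """Return True when a bare file name follows the rad*.tmp.exe/.dll convention."""
    return RAD_TMP_PATTERN.match(name) is not None


def find_suspicious(names):
    """Filter an iterable of file names down to those matching the convention."""
    return [n for n in names if matches_rad_tmp(n)]


def scan_temp_dir(directory=None):
    """Return matching file names from a real directory (default: this host's temp dir).

    On Windows the %TEMP% variable is used when present; elsewhere Python's
    tempfile.gettempdir() is used so the function still runs for testing.
    """
    base = Path(directory or os.environ.get("TEMP") or tempfile.gettempdir())
    return sorted(p.name for p in base.iterdir() if p.is_file() and matches_rad_tmp(p.name))


if __name__ == "__main__":
    print("Sample listing hits:", find_suspicious(SAMPLE_TEMP_LISTING))
    print("Live temp dir hits:", scan_temp_dir())
```

The pattern is deliberately strict (exactly five characters, exact suffixes) so it does not flag ordinary `~DF*.tmp` files; loosen it only if you have observed variants of the convention yourself.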

Once the system was infected the usual CryptMIC ransom notes were dropped onto the Desktop and into various folders:

I recommend blocking all the IPs and domains listed above in the IOCs section.